Fix Guide
How to Fix Cookie Security Flags
One or more cookies are missing Secure, HttpOnly, or SameSite protections.
Recommended fix
Set Secure, HttpOnly, and SameSite where appropriate for session, auth, and preference cookies.
This guide is designed to pair with a scanner report. Run a URL scan first, then follow the implementation steps.
Developer task
Update cookie-setting code or framework config; validate Set-Cookie headers on HTTPS responses.
Implementation steps
How to apply this fix
- Identify the cookies missing Secure, HttpOnly, or SameSite from the Set-Cookie headers.
- Add Secure so cookies are only sent over HTTPS.
- Add HttpOnly to session/auth cookies that scripts do not need to read.
- Set an appropriate SameSite value (Lax or Strict) for the cookie purpose.
- Update framework config or cookie code and re-scan the HTTPS response to confirm flags.
Verify
Re-run the URL scan after deploying the change to confirm the issue clears and the Themerella Score updates.
Related guides